Analysis
max time kernel: 150s
max time network: 184s
platform: windows7_x64
resource: win7v20210408
submitted: 16-05-2021 03:05
Static task: static1
Behavioral task: behavioral1
Sample: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
Resource: win7v20210408
General
Target: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
Size: 252KB
MD5: 7e41570ab9678e9ab7d4ed8c7f1a008d
SHA1: 0d9bb329e6c5d4ba4005a7ec7431c16c28df20e6
SHA256: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8
SHA512: 63bcb5b37eda11106eac97fb63eaec57b1119b78a45d6aaf4ae0801e43e6c75c9f206dce4439bbd9fb57f4f3f4cdbb9f781beb02b8a4d60e05d956d8c915f1a6
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Modifies security service (2 TTPs, 1 IoC)
Processes: msdcsc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  pid | process
  1760 | msdcsc.exe
Processes:
  resource | yara_rule
  \ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe | upx
  \ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe | upx
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe | upx
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe | upx
Deletes itself (1 IoC)
Processes: notepad.exe
  pid | process
  576 | notepad.exe
Loads dropped DLL (2 IoCs)
Processes: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
  pid | process
  1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
  1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe
  pid | process
  1760 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe, msdcsc.exe
  description | pid | process
  PID 1832 (a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe), 23 entries, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1760 (msdcsc.exe), 23 entries, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
  pid | process
  1760 | msdcsc.exe
Suspicious use of WriteProcessMemory (61 IoCs)
Processes: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe, cmd.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process | entries
  PID 1832 wrote to memory of 1988 | 1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe | cmd.exe | 4
  PID 1832 wrote to memory of 596 | 1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe | cmd.exe | 4
  PID 1832 wrote to memory of 576 | 1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe | notepad.exe | 18
  PID 596 wrote to memory of 1764 | 596 | cmd.exe | attrib.exe | 4
  PID 1988 wrote to memory of 1776 | 1988 | cmd.exe | attrib.exe | 4
  PID 1832 wrote to memory of 1760 | 1832 | a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe | msdcsc.exe | 4
  PID 1760 wrote to memory of 1064 | 1760 | msdcsc.exe | notepad.exe | 23
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  1764 | attrib.exe
  1776 | attrib.exe
Processes
(indentation shows the process tree depth; level 1 is the submitted sample)

C:\Users\Admin\AppData\Local\Temp\a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe" +s +h
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8.exe" +s +h
          - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
      - Deletes itself

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
      command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\SysWOW64\notepad.exe
          command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(the dropped msdcsc.exe carries the same MD5/SHA1/SHA256/SHA512 as the submitted sample; it is a copy of the original file)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
  MD5: 7e41570ab9678e9ab7d4ed8c7f1a008d
  SHA1: 0d9bb329e6c5d4ba4005a7ec7431c16c28df20e6
  SHA256: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8
  SHA512: 63bcb5b37eda11106eac97fb63eaec57b1119b78a45d6aaf4ae0801e43e6c75c9f206dce4439bbd9fb57f4f3f4cdbb9f781beb02b8a4d60e05d956d8c915f1a6

\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
  MD5: 7e41570ab9678e9ab7d4ed8c7f1a008d
  SHA1: 0d9bb329e6c5d4ba4005a7ec7431c16c28df20e6
  SHA256: a796c6a97f238d9c70c96069464ed124c93106366f21d101b299d5fcc611f8d8
  SHA512: 63bcb5b37eda11106eac97fb63eaec57b1119b78a45d6aaf4ae0801e43e6c75c9f206dce4439bbd9fb57f4f3f4cdbb9f781beb02b8a4d60e05d956d8c915f1a6
Memory dumps
  memory/576-63-0x0000000000000000-mapping.dmp
  memory/576-67-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize 4KB)
  memory/596-62-0x0000000000000000-mapping.dmp
  memory/1064-74-0x0000000000000000-mapping.dmp
  memory/1064-77-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
  memory/1760-70-0x0000000000000000-mapping.dmp
  memory/1760-76-0x00000000003C0000-0x00000000003C1000-memory.dmp (Filesize 4KB)
  memory/1764-65-0x0000000000000000-mapping.dmp
  memory/1776-66-0x0000000000000000-mapping.dmp
  memory/1832-60-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
  memory/1832-59-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize 8KB)
  memory/1988-61-0x0000000000000000-mapping.dmp